Re: [squid-users] transparent + reverse proxy + server is possible ?

From: Amos Jeffries <squid3@dont-contact.us>
Date: Tue, 29 Apr 2008 12:05:19 +1200

F. wrote:
> Hello,
> I am thinking about making a [transparent proxy + http accelerator +
> server] on the same machine.
> But I do not know if this configuration is secure.
> ->Lan to Internet: Transparent proxy using acl LAN, redirected port 80
> to squid port in firewall. Destination all.
> ->Internet to Server. http accelerator. 80 to 3128 redirected on
> firewall. Destination only server domain names.
>
>
> Is it secure?
> Could the http accelerator and the transparent proxy work fine on the
> same machine with the same squid server?

Using 2.6+ or 3.0+ yes it should work fine.
2.5 and earlier had configuration problems.

Security level is all how you set your ACL and access lines in Squid.
The Server needs to run on a non-80 port or a different IP address on the
same box (i.e. 127.0.0.1).

>
>
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl CONNECT method CONNECT
>> acl SSL_ports port 443
>>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports

I'd advise sticking 443 back in the Safe_ports.
The line above will drop all CONNECT requests before they get to be
allowed, just because the port is !Safe_ports.

>> http_access deny CONNECT !SSL_ports
>>
>> acl LAN src 192.168.1.0/24
>> http_access allow LAN
>>
>> acl XENO dstdomain .my.server.com # Destination server from URL
>> http_access allow XENO
>> # Really I do not understand well how to make the union of two prerequisites, that should be:
>> # (source all acl && dstdomain .my.server.com) to allow access from Internet to server.

'all' has no effect when joined unless you want !all. It's always implied.

>>
>> http_access allow localhost
>> http_access deny all
>

Looks like a good setup there for the Access Controls.
Just add the 'transparent' and 'accel vhost defaultsite=my.server.com'
options to the matching http_port lines.

And some cache_peer to handle the accelerator back-end would be very useful.

Amos

-- 
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
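The following squid.conf fragment is an added example, not part of the original thread and not Amos's or F.'s configuration. It pulls together the points made above for Squid 2.6/3.0 syntax: one http_port per role, the origin server moved off port 80 onto 127.0.0.1:8080, 443 restored to Safe_ports, and a cache_peer for the accelerator back-end. Assumed (not from the thread): port 3129 for the accelerator, the back-end port 8080, the ACL names accel_port, intercept_port and xeno_backend, and that the firewall REDIRECTs LAN port-80 traffic to 3128 and Internet port-80 traffic for the site to 3129.

```conf
# Added example (assumptions: LAN -> 3128 and Internet -> 3129 via firewall
# REDIRECT; origin server on 127.0.0.1:8080; ACL names below are illustrative).

# One listening port per role.
http_port 3128 transparent                            # LAN -> Internet (intercepted)
http_port 3129 accel vhost defaultsite=my.server.com  # Internet -> site (accelerator)

# The real web server, on a non-80 port on the same box.
cache_peer 127.0.0.1 parent 8080 0 no-query originserver name=xeno_backend

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https, so CONNECT is not dropped by !Safe_ports
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT

acl LAN src 192.168.1.0/24
acl XENO dstdomain .my.server.com
acl accel_port myport 3129      # request arrived on the accelerator port
acl intercept_port myport 3128  # request arrived on the intercepting port

# Only requests for the site may be sent to the back-end, and never direct.
cache_peer_access xeno_backend allow XENO
cache_peer_access xeno_backend deny all
never_direct allow XENO

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Stop proxied clients from reaching the back-end (or anything else) on 127.0.0.0/8
# via a forged Host header; accelerator traffic is unaffected because its
# URL destination is my.server.com, not the loopback address.
http_access deny to_localhost

# Internet clients get exactly one destination through the accelerator port.
http_access allow accel_port XENO
http_access deny accel_port

# LAN clients may browse anywhere, but only through the intercepting port.
http_access allow intercept_port LAN
http_access allow localhost
http_access deny all
```

The myport ACLs are what keep the two roles separate on one Squid: without them, an Internet client that found port 3128 reachable would be limited only by the dstdomain rule, and a LAN client could use the accelerator port as a second open proxy. Check the result with `squid -k parse` before reloading.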
Received on Tue Apr 29 2008 - 00:04:48 MDT